Source code security analysis provides a capability for identifying application security flaws through analysis of the application code. The analysis typically searches for and locates paths from entry points to output points that contain no validation of the input provided by a user. In static analysis, source is the commonly used term for an entry point; for example, Request.getParameter(name) is a source because the function retrieves user input. Sink is the term for a sensitive location where malicious input could arrive; for example, a database or a response could be a sink. Trace refers to a path from a source to a sink, formed by a sequence of function calls and operations.
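The source/sink/trace model described above, as an added example that is not code from the original document: a toy taint analysis over a small three-address representation of a handler. Taint enters at a source such as Request.getParameter, propagates through assignments, concatenations and ordinary calls, is dropped by a validation step, and is reported with its full trace when it reaches a sink. The statement representation, the rule catalogues (SOURCES, SINKS, SANITIZERS), the function names escapeHtml and validateInt, and the sample program are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed rule catalogues (a real analyzer loads these from a rule set).
SOURCES = {"Request.getParameter", "Request.getHeader"}
SINKS = {"Statement.executeQuery": "SQL injection",
         "Response.write": "Cross-site scripting"}
SANITIZERS = {"escapeHtml", "validateInt"}   # validation steps that end a trace

@dataclass
class Taint:
    """Label carried by a tainted variable: its source and the statements walked."""
    source: str
    trace: List[str] = field(default_factory=list)

@dataclass
class Finding:
    kind: str
    source: str
    sink: str
    trace: List[str]   # the source-to-sink path, one rendered statement per step

# Statement forms of a tiny three-address IR (constructed for this example):
#   ("call", dst, callee, [args])   dst = callee(args); dst may be None
#   ("assign", dst, src)            dst = src
#   ("concat", dst, [srcs])         dst = src1 + src2 + ...
Stmt = Tuple

def render(stmt: Stmt) -> str:
    """Human-readable form of a statement, used to build trace lines."""
    op = stmt[0]
    if op == "call":
        _, dst, callee, args = stmt
        lhs = f"{dst} = " if dst else ""
        return f"{lhs}{callee}({', '.join(args)})"
    if op == "assign":
        return f"{stmt[1]} = {stmt[2]}"
    return f"{stmt[1]} = {' + '.join(stmt[2])}"

def propagate(env: Dict[str, Taint], dst: Optional[str], srcs: List[str], step: str) -> None:
    """Taint dst if any src is tainted (extending its trace), else mark dst clean."""
    if dst is None:
        return
    tainted = [env[s] for s in srcs if s in env]
    if tainted:
        # Keep the first contributing source; a full analyzer would keep all of them.
        env[dst] = Taint(tainted[0].source, tainted[0].trace + [step])
    else:
        env.pop(dst, None)   # a clean value overwrites any earlier taint

def analyze(program: List[Stmt]) -> List[Finding]:
    """Walk the program in order; report every tainted argument reaching a sink."""
    env: Dict[str, Taint] = {}   # variable -> taint label; absent means clean
    findings: List[Finding] = []
    for stmt in program:
        op, step = stmt[0], render(stmt)
        if op == "assign":
            propagate(env, stmt[1], [stmt[2]], step)
        elif op == "concat":
            propagate(env, stmt[1], stmt[2], step)
        elif op == "call":
            _, dst, callee, args = stmt
            if callee in SOURCES:
                env[dst] = Taint(source=callee, trace=[step])   # fresh taint enters here
            elif callee in SANITIZERS:
                env.pop(dst, None)                               # validation ends the trace
            elif callee in SINKS:
                for arg in args:
                    if arg in env:
                        t = env[arg]
                        findings.append(Finding(SINKS[callee], t.source, callee, t.trace + [step]))
            else:
                propagate(env, dst, args, step)                  # ordinary call passes taint on
    return findings

# Constructed sample program: one unvalidated path and two validated ones.
SAMPLE_PROGRAM: List[Stmt] = [
    ("call", "name", "Request.getParameter", ['"name"']),
    ("assign", "greeting", "name"),
    ("concat", "html", ['"<h1>"', "greeting", '"</h1>"']),
    ("call", None, "Response.write", ["html"]),           # tainted -> finding
    ("call", "safe", "escapeHtml", ["name"]),
    ("call", None, "Response.write", ["safe"]),           # validated -> no finding
    ("call", "id", "Request.getParameter", ['"id"']),
    ("call", "n", "validateInt", ["id"]),
    ("concat", "query", ['"SELECT * FROM t WHERE id="', "n"]),
    ("call", "rs", "Statement.executeQuery", ["query"]),  # validated -> no finding
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROGRAM):
        print(f"{f.kind}: {f.source} -> {f.sink}")
        for i, line in enumerate(f.trace, 1):
            print(f"  {i}. {line}")
```

Running the sample reports a single cross-site scripting trace of four steps; the two paths that pass through escapeHtml or validateInt produce nothing, which is exactly the "path without validation" criterion. Treating a sanitizer as fully cleansing its result is the kind of assumption that makes such an analysis both fast and prone to false positives (and negatives): a validator that only checks length would still end the trace here.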
Web application security scanning (WASS) provides a capability for identifying application security flaws by sending attacks to a target application and analyzing the responses generated in order to validate application vulnerabilities. The scanning is also referred to as dynamic analysis. Communication with the target application during web application security scanning typically occurs over the hypertext transfer protocol, with or without transport security (HTTP(S)).
Unit testing is a common development practice in which input values are provided to predetermined functional components and the outputs received are validated against an expected set of results. Source code security analysis typically produces a certain number of false positives because static analysis relies on assumptions about how a specific portion of code will behave in order to find vulnerabilities. Consequently, verifying findings produced by static analysis with the methods typically used during unit testing also creates false positives.
Web application security scanning typically misses a percentage of vulnerabilities due to coverage issues. For example, rich Internet applications containing a significant amount of client-side logic can be very difficult to scan in an automated fashion. The HTTP layer can also be very unstable, and communication problems can therefore affect both the duration of the scanning and the consistency of the results. WASS requires a full application to be deployed; however, developers often work only on a smaller part of the project and use unit tests to verify its functionality, which adds to the difficulty of using WASS. Techniques that correlate results of code analysis with web application scanning results can increase the confidence in results found by both techniques; however, the correlation typically provides no useful information for results that are not matched.
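The correlation of static and dynamic results mentioned in the last sentence, as an added example that is not code from the original document: static findings (flaw category, the URL path the analyzed handler is mapped to, the parameter read at the source) and scanner findings (category, attacked URL, parameter) are reduced to a common key and matched. Findings seen by both tools are reported as confirmed, static-only findings remain unverified, and scanner findings with no code counterpart are left unmatched, which illustrates why the unmatched remainder carries little information. The category alias table, the finding record layouts and all sample values (paths, file locations, URLs) are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed alias table: the two tools name the same class of flaw differently.
CATEGORY_ALIASES = {
    "cross-site scripting": "xss", "reflected xss": "xss", "xss": "xss",
    "sql injection": "sqli", "sqli": "sqli",
}

@dataclass(frozen=True)
class StaticFinding:
    category: str
    entry_point: str   # URL path the analyzed handler is mapped to
    parameter: str     # request parameter read at the source
    location: str      # file:line of the sink (constructed values below)

@dataclass(frozen=True)
class DynamicFinding:
    category: str
    url: str           # URL the scanner exercised
    parameter: str     # parameter whose probe triggered the response

@dataclass
class Correlation:
    confirmed: List[Tuple[StaticFinding, DynamicFinding]]  # seen by both: high confidence
    static_only: List[StaticFinding]                         # unverified static results
    dynamic_only: List[DynamicFinding]                       # no matching code location

def canonical_category(name: str) -> str:
    n = name.strip().lower()
    return CATEGORY_ALIASES.get(n, n)

def canonical_path(url_or_path: str) -> str:
    # Host, query string and trailing slash do not identify the handler.
    return urlsplit(url_or_path).path.rstrip("/").lower() or "/"

Key = Tuple[str, str, str]

def static_key(s: StaticFinding) -> Key:
    return (canonical_category(s.category), canonical_path(s.entry_point), s.parameter.lower())

def dynamic_key(d: DynamicFinding) -> Key:
    return (canonical_category(d.category), canonical_path(d.url), d.parameter.lower())

def correlate(static: List[StaticFinding], dynamic: List[DynamicFinding]) -> Correlation:
    """Match findings on (category, handler path, parameter); bucket the rest."""
    by_key: Dict[Key, List[DynamicFinding]] = {}
    for d in dynamic:
        by_key.setdefault(dynamic_key(d), []).append(d)
    confirmed, static_only, matched = [], [], set()
    for s in static:
        k = static_key(s)
        if k in by_key:
            confirmed.extend((s, d) for d in by_key[k])
            matched.add(k)
        else:
            static_only.append(s)
    dynamic_only = [d for d in dynamic if dynamic_key(d) not in matched]
    return Correlation(confirmed, static_only, dynamic_only)

# Constructed sample results from a static analyzer and a scanner.
SAMPLE_STATIC = [
    StaticFinding("Cross-site scripting", "/search", "q", "SearchServlet.java:42"),
    StaticFinding("SQL injection", "/account", "id", "AccountDao.java:17"),
]
SAMPLE_DYNAMIC = [
    DynamicFinding("Reflected XSS", "http://localhost:8080/search/?q=test", "q"),
    DynamicFinding("SQLi", "http://localhost:8080/orders?id=1", "id"),
]

if __name__ == "__main__":
    r = correlate(SAMPLE_STATIC, SAMPLE_DYNAMIC)
    for s, d in r.confirmed:
        print(f"CONFIRMED  {s.location} <-> {d.url}")
    for s in r.static_only:
        print(f"UNVERIFIED {s.location} ({s.category})")
    for d in r.dynamic_only:
        print(f"UNMATCHED  {d.url} ({d.category})")
```

The match key deliberately normalizes only what both tools can agree on; a static analyzer knows the sink's file and line but not the deployed host, while a scanner knows the URL but not the code, so the handler path and parameter name are the shared vocabulary. Anything left in static_only or dynamic_only still needs a separate verification step, which is the gap the text describes.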